Ensure images are selected using a digest
Error: Images are not selected using a digest
Bridgecrew Policy ID: BC_K8S_39
Checkov Check ID: CKV_K8S_43
Severity: LOW
Images are not selected using a digest
Description
In some cases you may prefer to use a fixed version of an image, rather than update to newer versions. Docker enables you to pull an image by its digest, specifying exactly which version of an image to pull.
Pulling using a digest allows you to “pin” an image to that version, and guarantee that the image you’re using is always the same. Digests also prevent race-conditions; if a new image is pushed while a deploy is in progress, different nodes may be pulling the images at different times, so some nodes have the new image, and some have the old one. Services automatically resolve tags to digests, so you don't need to manually specify a digest.
Fix - Runtime
CLI Command
To make sure the container always uses the same version of the image, you can specify its digest; replace <image-name>:<tag>
with <image-name>@<digest>
(for example, image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
).
The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value.
Fix - Buildtime
Kubernetes
- Resource: image
- Argument: digest
apiVersion: v1
kind: Pod
metadata:
name: <Pod name>
spec:
containers:
- name: <container name>
image: image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
{
"creator": 7,
"id": 2110,
"image_id": null,
"images": [
{
"architecture": "amd64",
"features": "",
"variant": null,
+ "digest": "sha256:1ae98b2c895d1ceeba8913ff79f422f005b7f967a311da520a88ac89180b4c39",
"os": "linux",
"os_features": "",
"os_version": null,
"size": 87342331
}
],
"last_updated": "2017-04-06T20:16:24.015937Z",
"last_updater": 2215,
"last_updater_username": "stackbrew",
"name": "centos5",
"repository": 54,
"full_size": 87342331,
"v2": true
}
Updated 10 months ago